Wireguard Session Manager - Discussion (2nd) thread
Hey!

Thanks again for the answers. I generated a new WireGuard key from my provider OVPN.com, tried it on my iPhone with the iOS WireGuard app, and had no issues.

Uploaded the conf file to the router and did an import. Compared the original and the ported one, and the only difference was that in the ported conf, DNS and Address were disabled with #.

Started the imported key in WGM and the Internet stops.
I think @ZebMcKayhan may have identified a bug with the WAN KILL-Switch feature.....however until I can release a possible fix....

Could you please issue:
Code:
e  = Exit Script [?]

E:Option ==> killswitch off
If there is still no internet you will need to provide a diagnostic dump
Code:
e  = Exit Script [?]

E:Option ==> diag
You should redact the Private key etc., and if you would rather not publicly post the diag output then you can PM the output to me

EDIT: I see @ZebMcKayhan has already offered support!
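Since the diag output is going to be pasted into a public thread or a PM, it is worth having a mechanical way to strip the key material first rather than editing by hand. The following is an added example, not part of wireguard_manager or this post: a POSIX sh redaction filter that masks the value of any PrivateKey / PresharedKey line (the format used in wg-quick .conf files and in dumps that echo them), plus a check that no 44-character base64 key is still sitting next to one of those labels. The sample config is constructed with dummy keys; the real router paths shown in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not wireguard_manager's own code): redact secrets from a
# WireGuard .conf or a diagnostic dump before posting it. Only the key
# material is masked; interface names, addresses, endpoints and rule output
# stay intact so the dump is still useful for debugging.

# Mask the value of any PrivateKey / PresharedKey line, however it is indented
# and whether it is written 'Key = value' or 'Key=value'. Reads stdin, writes stdout.
# ('#' is used as the sed delimiter so '/' in the base64 alphabet needs no escaping.)
wg_redact() {
    sed -E 's#^([[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=[[:space:]]*)[A-Za-z0-9+/=]+#\1<REDACTED>#'
}

# Last check before pasting: return 0 if no base64 key (40+ chars ending in '=')
# remains next to a PrivateKey / PresharedKey label, 1 if one is still present.
wg_redaction_ok() {
    if grep -Eq '^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=[[:space:]]*[A-Za-z0-9+/]{40,}='; then
        return 1
    fi
    return 0
}

# Constructed sample: a wg-quick style client config with dummy, non-functional
# keys, laid out the way a vendor-supplied file typically is.
SAMPLE_CONF='[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.64.0.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
PresharedKey=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.10:51820'

# Redact the constructed sample and return the result (used below and in checks).
redact_sample() {
    printf '%s\n' "$SAMPLE_CONF" | wg_redact
}

# Usage on the router (paths assumed):
#   wg_redact < /opt/etc/wireguard.d/wg11.conf > /tmp/wg11.redacted
# Demonstration on the sample:
redact_sample
printf '%s\n' "$SAMPLE_CONF" | wg_redact | wg_redaction_ok && echo "redaction OK"
```

The PublicKey and Endpoint lines are deliberately left alone: they are not secrets, but note that a peer public key does identify your account with the provider, so decide for yourself whether to mask it as well before posting.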
 
Hey! I will try after work today or tomorrow and get back to you. Thanks for the help, much appreciated.

You have a good day.
 
@Martineau
Whenever I issue the
Code:
E:Option ==> killswitch on

There is no really useful information beyond the green ENABLED sign in the corner. Perhaps in a future release there could be some text like
"KILLSWITCH temporarily enabled. Use vx to change KILLSWITCH permanently"
to inform the user of what has happened, what to expect and what to do from here?

And of course similar when turning it off.

Just a suggestion.

//Zeb
I've uploaded v4.12b to the dev Github branch

  • FIX: KILL-Switch should not be permanently ENABLED during the initial install.
  • CHANGE: Provide additional "inline documentation" regarding the implementation/management of the KILL-Switch

  • FIX: Menu option 11 incorrectly shown on small SSH terminal screen sizes (Column x Row less than 188x38)
  • CHANGE: Visually enhance menu display to show which keywords are recognised as aliases to their numeric equivalents (7 is now qrcode)


To implement the "inline documentation", please issue
Code:
e  = Exit Script [?]

E:Option ==> createconfig

    Warning: WireGuard configuration file '/jffs/addons/wireguard/WireguardVPN.conf' already exists!...renamed to 'WireguardVPN.conf20211018-104210'

    Creating WireGuard configuration file '/jffs/addons/wireguard/WireguardVPN.conf'
but be aware that you may need to manually review the '.config' using command vx to check the new default settings against those saved in the backup.

Now anytime you check the status of the WAN KILL-Switch, you should get a true indication of whether it is a permanent setting (defined in the '.config') or transient/temporary, as a result of using the killswitch command.

e.g.
Code:
e  = Exit Script [?]

E:Option ==> ?

    v4.12b WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=fe9c47e30912896a5ebe2a5e21914c9d /jffs/addons/wireguard/wg_manager.sh

    [✔] arch=aarch64

    wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

    [✔] WireGuard Module is LOADED

    MD5=078460d2aa2a5a7839f7d5fd22cd2f77 wireguard-kernel_1.0.20210606-k27_1_aarch64-3.10.ipk
    MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

    [✔] DNSmasq is listening on ALL WireGuard interfaces 'wg*'

    [✔] firewall-start is monitoring WireGuard Firewall rules

    [✖] WAN KILL-Switch is DISABLED (use 'vx' command for info)
    [✖] UDP monitor is DISABLED

    [ℹ ] Reverse Path Filtering ENABLED

    [✔] Statistics gathering is ENABLED

    WireGuard ACTIVE Peer Status: Clients 2, Servers 1
Code:
e  = Exit Script [?]

E:Option ==> killswitch on

KILL-Switch ACTIVE  WireGuard ACTIVE Peer Status: Clients 2, Servers 1

Code:
e  = Exit Script [?]

E:Option ==> ?

    v4.12b WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=fe9c47e30912896a5ebe2a5e21914c9d /jffs/addons/wireguard/wg_manager.sh

    [✔] arch=aarch64

    wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

    [✔] WireGuard Module is LOADED

    MD5=078460d2aa2a5a7839f7d5fd22cd2f77 wireguard-kernel_1.0.20210606-k27_1_aarch64-3.10.ipk
    MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

    [✔] DNSmasq is listening on ALL WireGuard interfaces 'wg*'

    [✔] firewall-start is monitoring WireGuard Firewall rules

    [✔] WAN KILL-Switch is temporarily ENABLED (use 'vx' command for info)
    [✖] UDP monitor is DISABLED

    [ℹ ] Reverse Path Filtering ENABLED

    [✔] Statistics gathering is ENABLED

KILL-Switch ACTIVE  WireGuard ACTIVE Peer Status: Clients 2, Servers 1

@ZebMcKayhan , if you have time to test, let me know if this is OK
 

So I apologize for the very noob questions...
1 - what is the location and best method for copying the wireguard config files onto the router?
2 - what is the proper command for then importing that config file to be client wg11?

When I tried this last night the import didn't work properly, I'm sure I was doing it wrong. I decided to just start over and formatted the jffs and the usb. I am currently on a AC86u with 386.3_2 (no other addons installed except entware), just installed v4.12b. I have an untouched Mullvad wireguard conf file available. My intention is to just have a basic client connection to the Mullvad servers and don't need any special routing policies. I was previously successful using Odkrys' method. I know this Session Manager is probably overkill for me, but I wanted to try and learn to use it. Thanks for any help!
 
For tested good config, you can rename it as wg11.conf and copy it into /opt/etc/wireguard.d/. Then in wgm,
Code:
E:Option ==> import wg11

        [✔] Config wg11 import success
 
It is preferable to retain the VPN ISP supplied Wireguard .config and allow the import command to create the target wg1X.conf which subsequently allows a comparison of the original file to confirm if the import is somehow corrupting the file as the OP states.

e.g. copy 'mlvd-us53.conf' to '/opt/etc/wireguard.d' then import it to an undefined 'wg1X.conf' such as wg11
Code:
e  = Exit Script [?]

E:Option ==> import mlvd-us53.conf name=wg11

          [✔] Config mlvd-us53 import as wg11 success

EDIT: As of wireguard_manager Beta v4.12b, the use of the 'name=' directive is no longer required, as the new default import behaviour will auto-import the WireGuard .conf as 'wg1X'
 
How do I permanently disable the WAN killswitch?
If you have upgraded to version v4.12b as per post
then you can check on the current status of the KILL-Switch
Code:
e  = Exit Script [?]

E:Option ==> ?

    v4.12b1 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=8ee37724678ee05e30af475e1fda254e /jffs/addons/wireguard/wg_manager.sh

    [✔] arch=aarch64

    wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

    [✔] WireGuard Module is LOADED

    MD5=078460d2aa2a5a7839f7d5fd22cd2f77 wireguard-kernel_1.0.20210606-k27_1_aarch64-3.10.ipk
    MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

    [✔] DNSmasq is listening on ALL WireGuard interfaces 'wg*'

    [✔] firewall-start is monitoring WireGuard Firewall rules

    [✖] WAN KILL-Switch is DISABLED (use 'vx' command for info)
    [✖] UDP monitor is DISABLED

    [ℹ ] Reverse Path Filtering ENABLED

    [✔] Statistics gathering is ENABLED

    WireGuard ACTIVE Peer Status: Clients 1, Servers 1
and follow the instructions.
 
That was it! I wasn't properly using name=wg11 during import. Thank you!
Apologies, I now realise that I hadn't actually directly replied to your query regarding import failures but instead unfortunately tagged @chongnt.

Glad you picked up the solution anyway.
 
I am getting this when I try to start the firewall. Any idea?
Code:
        [✖] firewall-start1257{cBRED} is NOT monitoring WireGuard Firewall rules - use 'wgm natstart' to ENABLE
...snipped...
E:Option ==> wgm natstart

        Invalid Option " Invalid Option "wgm natstart" Please enter a valid option" Please enter a valid option
 
Thanks for the correction. I used to rename it to wg11.conf and import it. Anyway, I use NordVPN so there is no native wireguard config file available to download.
 
Ahh, OK - so if you have already manually created 'wg11.conf', then for the very first import by wireguard_manager it should be OK.

However, I wasn't sure if, having mangled the file, i.e. commented out certain directives say the DNS line, what happens when you come to import 'wg11.conf' a second time with no actual formal DNS directive?
 
Monitoring of the wireguard related firewall rules should be a standard part of the install, but follow the instruction at the bottom of this recent bug report post
 
Thanks @Martineau, it is working now.
Code:
E:Option ==> firewallstart

        firewall-start updated to protect WireGuard firewall rules

...snipped...

        [✔] firewall-start is monitoring WireGuard Firewall rules
 
@ZebMcKayhan , if you have time to test, let me know if this is OK
Looks great!

Code:
E:Option ==> uf dev
......
Code:
E:Option ==> createconfig
......

Initial status: killswitch disabled. live and in .conf, ? shows disabled

Code:
E:Option ==> killswitch on
Status: killswitch temporarily enabled, conf file still disabled

Code:
vx

#KILLSWITCH --> KILLSWITCH

Save & exit
Status: killswitch enabled

Code:
E:Option ==> killswitch off
Status: killswitch temporarily disabled, conf file still enabled.

Code:
vx

KILLSWITCH --> #KILLSWITCH

Save & exit
Status: killswitch disabled.

Nice touch by scraping the conf file to get proper ? status! This is much better than I dared to suggest!

//Zeb
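The four transitions in the test above amount to a small reconciliation between the persisted setting in WireguardVPN.conf and the live state, which is what the new '?' output reports. As an added example (not code from wireguard_manager or from either poster), here is that mapping as POSIX sh functions that can be tried offline. The only assumption, taken from the vx edits above, is that the persisted setting is a line reading 'KILLSWITCH' (enabled) or '#KILLSWITCH' (disabled); the .conf fragments are constructed samples.

```sh
#!/bin/sh
# Added example (not wireguard_manager's own code): derive the KILL-Switch
# status wording from two inputs, the persisted setting in WireguardVPN.conf
# and the live state, so that a temporary 'killswitch on/off' is reported
# differently from a setting saved via vx.
#
# Assumption (from the vx edits in the test above): the persisted setting is a
# line 'KILLSWITCH' (enabled) or '#KILLSWITCH' (commented out, disabled).

# Print ENABLED or DISABLED for the persisted setting; .conf text is read from stdin.
# A leading '#' means the line is a comment, so '#KILLSWITCH' does not match.
killswitch_config_state() {
    if grep -Eq '^[[:space:]]*KILLSWITCH([[:space:]]|$)'; then
        echo ENABLED
    else
        echo DISABLED
    fi
}

# $1 = persisted state (ENABLED|DISABLED), $2 = live state (ENABLED|DISABLED).
# Prints the wording for the status line; 'temporarily' flags any disagreement
# between the saved setting and what is active right now.
killswitch_status_line() {
    case "$1:$2" in
        ENABLED:ENABLED)   echo "WAN KILL-Switch is ENABLED" ;;
        DISABLED:ENABLED)  echo "WAN KILL-Switch is temporarily ENABLED" ;;
        ENABLED:DISABLED)  echo "WAN KILL-Switch is temporarily DISABLED" ;;
        DISABLED:DISABLED) echo "WAN KILL-Switch is DISABLED" ;;
        *) echo "WAN KILL-Switch state unknown ($1/$2)" >&2; return 1 ;;
    esac
}

# $1 = .conf text, $2 = live state; combines the two functions above.
killswitch_status_from_conf() {
    persisted="$(printf '%s\n' "$1" | killswitch_config_state)"
    killswitch_status_line "$persisted" "$2"
}

# Constructed fragments standing in for /jffs/addons/wireguard/WireguardVPN.conf
CONF_KS_OFF='# WireGuard Session Manager configuration (constructed sample)
#KILLSWITCH'
CONF_KS_ON='# WireGuard Session Manager configuration (constructed sample)
KILLSWITCH'

# Walk the four steps of the test above.
killswitch_status_from_conf "$CONF_KS_OFF" DISABLED   # initial state
killswitch_status_from_conf "$CONF_KS_OFF" ENABLED    # after 'killswitch on'
killswitch_status_from_conf "$CONF_KS_ON"  ENABLED    # after vx: #KILLSWITCH --> KILLSWITCH
killswitch_status_from_conf "$CONF_KS_ON"  DISABLED   # after 'killswitch off'
```

The practical point is that a 'temporarily' state does not survive a restart of the script or the router; if you want the protection to persist, the vx edit is the step that matters.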
 
I don't quite get the name=wg11 from
Code:
11 = Import Wireguard configuration { [ "?" | [ "dir" directory ] | [/path/]config_file [ rename_as ] ]}
Is the "name=" required or would
Code:
E:Option ==> import mlvd-us53.conf wg11
work as well?

//Zeb
 
I don't quite get the name=wg11 from
Code:
11 = Import Wireguard configuration { [ "?" | [ "dir" directory ] | [/path/]config_file [ rename_as ] ]}
Is the "name=" required?
Yes, it is required.

As yet unpublished v4.12b2 corrects the missing option 11 description syntax :oops:
Code:
+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v4.12b2 by Martineau                    |
|                                                                      |
+======================================================================+
    WireGuard ACTIVE Peer Status: Clients 1, Servers 1



1  = Update Wireguard modules                                           7  = QRcode for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                                        8  = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                                                        9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]                         10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ] 

4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients     11 = Import Wireguard configuration { [ "?" | [ "dir" directory ] | [/path/]config_file [ "name="rename_as ] ]} 
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                    
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                 

?  = About Configuration                    
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')      

e  = Exit Script [?]

E:Option ==>

or would
Code:
E:Option ==> import mlvd-us53.conf wg11
work as well?
No

Without the 'name=', a 'client' peer 'mlvd-us53' is created and may run, but wireguard_manager would baulk at creating the necessary Policy tables as it expects to discard the expected interface naming standard 'wg1' prefix and replace it with '12' to create the target routing table

e.g. 121,122 thru 129.
 
[unintuitive/esoteric?] <- this comment line added by Martineau;)
Code:
E:Option ==> import mlvd-us53.conf name=wg11
@ZebMcKayhan

I have implemented your suggestion to auto-import Vendor supplied .conf files into the next available WireGuard designated interface 'slot' on the router, and relegated the use of import xxxxxx[.conf] name= requests for advanced users.

e.g. I already have 4 WireGuard 'client' peers configured (interfaces wg11 thru' wg14), and requested the import of Mullvad's file

'/opt/etc/wireguard.d/mlvd-us53.conf'

Code:
E:Option ==> import mlvd-us53

    [✔] Config mlvd-us53 import as wg15 success

This should eliminate all future end-user confusion/frustration (as reported by new user @Stingray123), as the very first import request should now by default create wg11 (rather than mlvd-us53 as it would have done previously, as allowed per the official wg-quick documentation)



NOTE: If the .conf file has a 'wg1' prefix then it will be honoured as the target interface name (assuming it is not already in use), unless overridden by the supplied name= directive.

e.g. Advanced users who may wish to retain 'mlvd-us53' as the WireGuard 'client' peer interface name would need to use:
Code:
E:Option ==> import mlvd-us53 name=mlvd-us53

Please download wireguard_manager v4.12b2 from the dev branch to test at your convenience.
Code:
e  = Exit Script [?]

E:Option ==> uf dev

    v4.12b2 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=f38a9aadaf71ce119e83b83eebd602a9 /jffs/addons/wireguard/wg_manager.sh

<snip>
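The naming rules spread across the two import posts above (copy the vendor file to /opt/etc/wireguard.d, import into wg1X, optional name= override, and the wg1X -> 12X routing table derivation that explains why a peer called 'mlvd-us53' runs but gets no policy table) are easy to get wrong when typed from memory. The following is an added example, not wireguard_manager's own code: POSIX sh functions that implement those rules so they can be tried offline. The set of slots in use is passed in as a string instead of being read from the wg1*.conf files on the router, and what happens when a source file named wg1X collides with a slot already in use (falling through to the next free slot) is an assumption, since the post only says the prefix is honoured if the name is not already taken.

```sh
#!/bin/sh
# Added example (not wireguard_manager's own code): the import naming rules
# described above, as standalone functions.
#  - a vendor .conf is imported into the next free client slot wg11..wg19
#  - a source name already carrying the wg1 prefix keeps it, if that slot is free
#    (what to do on a collision is an assumption here: take the next free slot)
#  - name= overrides both
#  - the policy routing table for wg1X is 12X (the 'wg1' prefix replaced by '12')
# Slots in use are passed as a string; on the router they would come from the
# wg1*.conf files in /opt/etc/wireguard.d.

# $1 = space-separated names in use (e.g. "wg11 wg12"); prints the first free
# wg1X, or fails when all nine client slots are taken.
wg_next_free_slot() {
    in_use=" $1 "
    n=1
    while [ "$n" -le 9 ]; do
        case "$in_use" in
            *" wg1$n "*) n=$((n + 1)) ;;
            *) echo "wg1$n"; return 0 ;;
        esac
    done
    echo "no free client slot (wg11..wg19)" >&2
    return 1
}

# $1 = source conf (basename, with or without .conf), $2 = names in use,
# $3 = optional "name=xxx" override. Prints the interface name the peer gets.
wg_import_target() {
    src="${1%.conf}"
    case "$3" in
        name=?*) echo "${3#name=}"; return 0 ;;        # explicit override wins
        "") ;;
        *) echo "unrecognised option '$3' (expected name=...)" >&2; return 1 ;;
    esac
    case "$src" in
        wg1[1-9])
            case " $2 " in
                *" $src "*) wg_next_free_slot "$2" ;;  # prefix honoured only if free
                *) echo "$src" ;;
            esac ;;
        *) wg_next_free_slot "$2" ;;
    esac
}

# $1 = interface name; prints the policy routing table id (wg11 -> 121), or fails
# for names outside the wg1X convention, which is why a peer imported as
# 'mlvd-us53' can run but cannot be given its own routing table.
wg_policy_table() {
    case "$1" in
        wg1[1-9]) echo "12${1#wg1}" ;;
        *) echo "'$1' does not follow wg1X naming, no table derivable" >&2; return 1 ;;
    esac
}

# The scenario from the post: wg11..wg14 already configured, import Mullvad's file.
IN_USE="wg11 wg12 wg13 wg14"
wg_import_target mlvd-us53.conf "$IN_USE"                  # default: next free slot
wg_import_target mlvd-us53.conf "$IN_USE" name=mlvd-us53   # advanced users keep the name
wg_policy_table "$(wg_import_target mlvd-us53 "$IN_USE")"  # table for the imported peer
```

The check a practitioner wants is the last one: run the chosen name through the table derivation before starting the peer, because a name that cannot yield a 12X table will come up as a plain tunnel without the policy routing the rest of the script assumes.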
 
Hey! Does the output from the diag command get saved as a file?
 
